Bug bounty hunter exposes Monero bug enabling theft from exchanges
According to reports, the hackers managed to make use of old-fashioned social engineering to forge transaction data and use it to manipulate the support staff into crediting their accounts manually with extra XMR. The bug planted by the hackers multiplied the transactions, making it easier for the staff to approve dodgy transactions and credit these accounts. Reports showed that the attackers could exploit this repeatedly until they completely siphon all the money on an exchange.
Jason Rhineland, a Canadian Ph.D. candidate in Economics at Queens University, submitted a post on HackerOne revealing the system vulnerability. At the time of his post, the “business logic errors” are still active in Monero’s system. The bug was ranked 9 out of a possible 10, making it a “critical” in terms of severity.
Reports also show that the bug affected other Monero-based coins. According to reports, the attackers managed to steal ARQ coins from Altex, a wallet exchange desk. Altex has already alerted its users and all other virtual currencies in the ecosystem about the issue. It also suspended operations until proper measures have been put in place. It is yet unclear how much money the operator lost during the hack. The small operator said that they have suffered a big loss.
Reports on the HackerOne bug bounty program showed that five more operators have been affected by the recent attack on Monero’s system in the last 24 hours. The flaw has since been fixed in Monero’s system, but it is still unclear whether other affected systems have tackled the issue.
Bug bounty programs have helped stop many hacking threats by pointing out system shortcoming beforehand. Virtual exchanges and other cryptocurrency business are benefiting from these programs. Just a few weeks ago, bug bounties collected $24,000 in one week from four different blockchain projects.
To receive the latest CoinGeek.com news, special discounts on CoinGeek Conferences and other inside information direct to your inbox, please sign up for our mailing list.